Cybersecurity researchers at Mandiant have uncovered a campaign in which threat actors pose as IT support staff over Microsoft Teams and trick unsuspecting users into installing data-stealing malware. The scheme relies on a convincing support conversation to manipulate victims into granting access to their own systems.
According to analysts at the Google-owned cybersecurity firm, the campaign is attributed to a newly tracked threat group designated UNC6692. The attackers chain email bombing, targeted phishing over Teams and a rogue browser extension in a multi-stage approach to gain access to enterprise networks.
In the initial phase, attackers flood the target’s inbox with a high volume of emails to create confusion and disruption. They then follow up via Microsoft Teams from an account outside the organisation, posing as IT support staff and offering help to fix the email problem.
As the conversation progresses, the attacker sends the victim a link to a supposed “patch” for the spam problem. The link leads to a spoofed “Mailbox Repair Utility” page that tricks the user into downloading a script, which in turn installs a malicious browser extension Mandiant tracks as SnowBelt.
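The sequence above (a burst of inbound mail, then a Teams chat from an external sender within a short window) is a correlatable pattern. The following is an added example, not code from Mandiant or from the report: it runs a sliding-window burst detector over per-user inbound mail events and flags any Teams chat from an address outside the tenant that arrives shortly after a burst. The event schema, the tenant domain `corp.example`, the thresholds and the sample events are all assumptions constructed for the demo.

```python
"""Added example: detect email bombing followed by an external Teams chat.
Not Mandiant's code. Event format, domain and thresholds are assumed."""
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"  # assumed tenant domain for the demo


def _domain(address):
    """Return the lower-cased domain part of an e-mail style address."""
    return address.rsplit("@", 1)[-1].lower()


def build_sample_events():
    """Constructed telemetry for the demo (not real logs).

    Each event is a dict with 'ts', 'type' ('mail_in' or 'teams_chat') and
    'user'; teams_chat events also carry the 'sender' address.
    """
    base = datetime(2025, 1, 15, 9, 0)
    events = []
    # alice: 60 inbound mails in five minutes, then an external Teams chat
    for i in range(60):
        events.append({"ts": base + timedelta(seconds=5 * i),
                       "type": "mail_in", "user": "alice@corp.example"})
    events.append({"ts": base + timedelta(minutes=20), "type": "teams_chat",
                   "user": "alice@corp.example",
                   "sender": "helpdesk@it-support-desk.example"})
    # bob: normal mail volume and a chat from a colleague (benign)
    for i in range(5):
        events.append({"ts": base + timedelta(minutes=i),
                       "type": "mail_in", "user": "bob@corp.example"})
    events.append({"ts": base + timedelta(minutes=10), "type": "teams_chat",
                   "user": "bob@corp.example", "sender": "carol@corp.example"})
    # dave: a mail burst with no follow-up chat (bombing alone, not the chain)
    for i in range(80):
        events.append({"ts": base + timedelta(seconds=3 * i),
                       "type": "mail_in", "user": "dave@corp.example"})
    return events


def detect_bomb_then_external_chat(events, burst_threshold=50,
                                   burst_window=timedelta(minutes=10),
                                   followup_window=timedelta(hours=2),
                                   internal_domain=INTERNAL_DOMAIN):
    """Return (user, chat_time, external_sender) for every Teams chat from an
    external sender that lands within followup_window after an inbound mail
    burst (>= burst_threshold mails inside any burst_window for that user)."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        mail_ts = [e["ts"] for e in evs if e["type"] == "mail_in"]
        # Sliding window over inbound mail timestamps; record the time at
        # which the window first holds burst_threshold messages (and after).
        bursts = []
        lo = 0
        for hi, t in enumerate(mail_ts):
            while t - mail_ts[lo] > burst_window:
                lo += 1
            if hi - lo + 1 >= burst_threshold:
                bursts.append(t)
        if not bursts:
            continue
        for e in evs:
            if e["type"] != "teams_chat":
                continue
            if _domain(e["sender"]) == internal_domain:
                continue  # internal colleague, not the pattern we want
            # Any burst moment within followup_window before the chat counts.
            if any(timedelta(0) <= e["ts"] - b <= followup_window
                   for b in bursts):
                alerts.append((user, e["ts"], e["sender"]))
    return alerts


if __name__ == "__main__":
    for user, when, sender in detect_bomb_then_external_chat(build_sample_events()):
        print(f"ALERT {user}: external Teams chat from {sender} at {when:%H:%M} after mail burst")
```

In a real deployment the mail and Teams events would come from the mail gateway and the Teams audit log respectively; the thresholds here are illustrative and should be tuned to the tenant's normal volume, and a burst with no follow-up (dave above) is still worth a lower-severity alert on its own.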
The SnowBelt extension acts as a backdoor, giving the threat actors persistent access to the victim’s enterprise accounts and letting them move through internal resources without being prompted to sign in again.
Once installed, the extension can fetch and install further payloads, including the SnowGlaze and SnowBasin malware tools, along with AutoHotkey scripts and a portable Python environment used to run additional malicious operations.
To increase the chances of compromise, the phishing site uses several social engineering techniques. If the page is opened in a browser other than Microsoft Edge, it displays a persistent overlay urging the user to switch to Edge, the browser the rest of the attack chain is built around.
The attackers also tamper with the login flow: a credential-stealing script rejects the first two password submissions as incorrect, so the user types the password again. According to the researchers, this mimics a genuine failed sign-in, which makes the page more believable, and it hands the attackers two copies of the password to compare, improving the accuracy of the stolen credentials.
“The UNC6692 campaign demonstrates an interesting evolution in tactics,” Mandiant researchers said. “It combines social engineering, custom malware and a malicious browser extension while exploiting the trust users place in common enterprise platforms.”